Brazil’s data protection authority opens public consultation on data protection officers
Interested parties can submit contributions via the Participa + Brasil Platform until December 7, 2023
On November 7, 2023, the Brazilian Data Protection Authority (ANPD) initiated a public consultation on a draft regulation covering the roles of data protection officers (DPO).
According to the Brazilian Data Protection Law (Law No. 13,709/2018 – LGPD), DPOs act as official intermediaries between data controllers, data subjects, and the ANPD. Their responsibilities include receiving requests from data subjects, receiving communications from the ANPD, and promoting good data protection practices within organizations.
The draft regulation seeks to establish additional rules regarding the appointment, responsibilities, and activities of DPOs. The draft’s provisions address the following issues:
- Identification of the DPO on data controllers’ websites: The DPO’s identity and contact information must be prominently displayed and easily accessible on the data controller’s website. The draft provides that the term ‘identity’ refers to the DPO’s full name (if they are natural persons) or corporate name (if they are legal entities). Contact information must include communication channels through which data subjects can exercise their rights and the ANPD can send its communications.
- Formal appointment: The DPO must be formally appointed. They may operate either directly within an organization’s structure, or under the terms of a third-party service agreement.
- Qualifications and characteristics: Data controllers must assess whether the DPO is professionally qualified to carry out their tasks in line with the context, volume, and risk of data processing operations. Qualifications should include knowledge of data privacy and protection principles and any other skills necessary for properly carrying out their responsibilities. The DPO must be able to clearly communicate in Portuguese with both data subjects and the ANPD.
- Autonomy: The DPO must be able to carry out their activities with autonomy and have access to the organization’s upper management.
- Conflicts of interest: The DPO may hold multiple roles and perform their duties for more than one data controller, provided they can fully meet their obligations to each data controller without creating any conflicts of interest. According to the draft regulation, a conflict of interest is presumed to exist when a DPO has a secondary role that involves making data processing decisions on the data controller’s behalf.
- DPO appointments by data processors: The appointment of a DPO by a data processor is optional, though it is considered a good governance practice.
- Other DPO responsibilities: The draft regulation introduces new responsibilities for DPOs beyond those already described in the LGPD, including guiding data controllers in reporting personal data security incidents, developing and implementing privacy best practice rules, conducting risk assessments, and preparing data protection impact assessment reports.
- Responsibility for compliance: The draft regulation specifies that carrying out the DPO’s duties does not make the DPO responsible for the organization’s compliance with data processing requirements.
Other ANPD guidance on DPO activities
The ANPD has already published non-binding guidelines on this topic on its website (Guidelines for Data Processing Agents & Data Protection Officers). These guidelines are intended to provide general clarification and recommendations while the draft regulation is still in progress. The current version of the guidelines is open for comments and contributions from the public, and may be updated as new regulations and interpretations are issued.
In addition to the public consultation, the ANPD has announced it will soon provide information about a public hearing to discuss this topic.
Interested parties may submit their contributions to the public consultation via the Participa + Brasil platform until December 7, 2023.
For further information on this subject, please contact Mattos Filho’s Data Protection & Cybersecurity practice area.